Ph.D. Student Finds Phone Tracking Hack that Exploits SMS Delivery Receipts

A Northeastern University Ph.D. student is sounding the alarm over a weakness in the SMS service which, he and his team say, motivated hackers could use to locate high-profile individuals.

Evangelos Bitsikas and his fellow researchers at Boston-based Northeastern found that anyone using an Android phone can be pinpointed on a global map simply by bombarding their phone with text messages.

Pioneered in the 1990s, SMS technology is still widely used today with few amendments to its underpinnings, raising concerns about the possibility of exploiting various inherent weaknesses.

One of those weaknesses, Bitsikas notes, lies in how the phone pings back receipts of delivery to the phone network.

Bitsikas explained to reporters that a hacker can send multiple text messages to the target cell phone and, using the timing of automated delivery replies, triangulate the victim’s location - even if communications are encrypted.

Bitsikas is the first to admit this attack isn’t easy to pull off, requiring multiple phones to pepper the target device with messages to triangulate its location. Moreover, the data gathered needs to be parsed through machine learning models to become intelligible.

"We are researchers with limited resources and we are not experts in data science," Bitsikas said. "What I'm afraid of is that advanced attackers—hacker groups, state-sponsored agencies, police, who of course have more resources—can achieve greater impact with this kind of attack."

Fixing the problem isn’t as straightforward as developing a patch.

According to TechXplore, Bitsikas has been told that GSMA plans to add countermeasures to thwart any attacks, but the window won’t close entirely without a major overhaul of the global SMS system.

The idea of using SMS to force a phone to ping its location isn’t entirely new. In 2010, German police used a similar method to send "silent SMS" messages for tracking suspects.

It isn’t clear if Bitsikas’ method only works with Android phones, or whether the team simply didn’t test out their method on iOS as well.

The full research can be found here.